Poor old Tesco. After posting falling profits at the end of last year, they are now the latest victim of data theft, with over 2,000 customers’ Clubcard data hacked, and vouchers nicked from wide open accounts.
It has been reported that a list of 2,239 Tesco.com accounts was published on Pastebin yesterday with some customers complaining of being thrown out of their own accounts and that their vouchers have gone missing.
Tesco said that it was “urgently investigating” the situation: “We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this,” Tesco said in a statement.
“We will issue replacement vouchers to the very small number who are affected.”
While Tesco are coming under fire for this breach, it is probably not really Tesco’s fault. It is believed that hackers obtained username/email address and password data through other hacks, and then tried the stolen credentials against Tesco’s database, gaining entry to those accounts whose owners had used the same email address/password combination on both sites.
Trey Ford, global security strategist at Rapid7, told The Register that the breach highlighted again the danger of reusing passwords across multiple accounts.
“The attackers seem to have picked up usernames and passwords that were leaked after breaches of other, potentially unrelated organisations, and by trying them on Tesco’s site, they were able to compromise 2,239 Tesco.com customer accounts,” he said.
“So far the information available indicates that the impact of this has been relatively limited – stolen vouchers – but if attackers have tried this on Tesco.com, the chances are they are also trying it on other sites too and so we may see additional fallout.”
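As an added illustration (not from the article, and not Tesco’s own code), this is the kind of detection logic a site operator could run over its login logs to spot the pattern Ford describes: one source trying many different accounts, mostly failing, with the occasional success where a reused password matched. The log format, addresses and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample auth log: "<timestamp> <source-ip> <account> <outcome>".
# Format and values are assumed for this example, not taken from any real log.
SAMPLE_LOG = """\
2014-02-14T09:00:01Z 203.0.113.10 alice@example.com FAIL
2014-02-14T09:00:02Z 203.0.113.10 bob@example.com FAIL
2014-02-14T09:00:03Z 203.0.113.10 carol@example.com OK
2014-02-14T09:00:04Z 203.0.113.10 dave@example.com FAIL
2014-02-14T09:00:05Z 203.0.113.10 erin@example.com FAIL
2014-02-14T09:00:06Z 203.0.113.10 frank@example.com OK
2014-02-14T09:01:00Z 198.51.100.7 bob@example.com OK
2014-02-14T09:02:00Z 192.0.2.99 alice@example.com FAIL
2014-02-14T09:02:01Z 192.0.2.99 alice@example.com FAIL
2014-02-14T09:02:02Z 192.0.2.99 alice@example.com FAIL
"""

def parse_log(text):
    """Yield (ip, account, success) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, account, outcome = parts
        yield ip, account.lower(), outcome == "OK"

def find_stuffing_sources(text, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs whose pattern looks like credential stuffing: many
    *distinct* accounts, mostly failing, with occasional successes.
    A single account hammered repeatedly (classic brute force, 192.0.2.99
    above) is deliberately not flagged; per-account lockout handles that."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                 "fails": 0, "ok": set()})
    for ip, account, success in parse_log(text):
        s = stats[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if success:
            s["ok"].add(account)   # accounts to force a password reset on
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["accounts"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["ok"])}
    return flagged
```

The accounts listed under `compromised` are the ones that logged in successfully from a flagged source, which is the list a site would want to reset and notify rather than waiting for voucher complaints.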
Nevertheless, customers on Tesco’s Facebook page have suggested a lack of confidence in the security of Tesco.com’s online shopping portal, and that they may be turning elsewhere.
Tesco was already under data breach fire this week after accidentally emailing a list of customers who were attempting to buy a trampoline without bcc-ing the email addresses, sharing around 300 email addresses between complete strangers in each message. One customer claimed to have received the email five times, gaining access to a list of 1,500 Tesco customers’ email addresses.
GreatFire.org, a group which focuses on China-based freedom of speech, said in a statement that Microsoft’s search engine, Bing, was filtering search results for search terms like “Dalai Lama” on behalf of the Chinese authorities (who think that the Dalai Lama is a violent political separatist).
Microsoft said it was a system fault that had removed some search results for users outside China and this is nothing like that time they censored the Chinese versions of their smartphones and Skype. Nothing at all.
“Due to an error in our system, we triggered an incorrect results removal notification for some searches noted in the report but the results themselves are and were unaltered outside of China,” said Stefan Weitz, senior director for Bing.
You’ll notice that Weitz didn’t say whether or not they’d fixed the problem or, indeed, if the Bing team have any intention of sorting this out.
And what did Microsoft tell China? Well, they sent out an edited version of their statement to Chinese media organisations and handily omitted any references to GreatFire.org. Why? A China-based Microsoft spokesperson said: “There were too many points in the original statement.”
It goes without saying that China isn’t too keen on social media networks, and censorship is not something Chinese governments have ever shied away from. This means that any internet companies wanting to work there have to be careful or cavalier. They usually choose ‘careful’ because there’s a lot of money to be made from the Chinese market. Still, you have to assume that the comment sections on Chinese websites aren’t a cesspit of flaccid yelling and people saying “everything isn’t as good as it used to be!”, which is something.
Thank goodness that there are absolutely no examples of internet giants kowtowing to governments in the West, eh?
This six-week pilot scheme promises that the technology will allow staff to “deliver the industry’s most high tech and personalised customer service yet”.
Staff will use a purpose-built dispatch app built by SITA and the Virgin Atlantic passenger service system, in a bid to make everything more efficient and give customers more information when needed, provided you find yourself in the Upper Class Wing.
Dave Bulman, director of IT, Virgin Atlantic, said: “Our wearable technology pilot with SITA makes us the first in the industry to test how Google Glass and other wearable technology can improve the customer experience. We are upholding Virgin Atlantic’s long tradition of shaking things up and putting innovation at the heart of the flying experience.”
It also seems like staff will be able to walk around filming customers with Glass too and that all that lovely information about who is flying could be used for marketing gains and whatnot. If you see one of these concierges, be sure to ask them if they’re recording you at all.
Beleaguered Barclays are staring down the barrel of yet more fines after they stated that they’re looking into the reasons why 27,000 of their customers had their data stolen and flogged by bad people on the black market.
According to a statement, they said they’d notified regulators over the data breach and started their own probe.
“This appears to be criminal action and we will co-operate with the authorities on pursuing the perpetrator,” said Barclays.
If you had any dealings with Barclays’ Financial Planning wing (which closed in 2011) and haven’t heard from the bank yet, it would be worth getting in touch to see what you need to do or, indeed, to see what free stuff you can get by way of compensation.
The Barclays statement continued: “Protecting our customers’ data is a top priority and we take this issue extremely seriously. We would like to reassure all of our customers that we have taken every practical measure to ensure that personal and financial details remain as safe and secure as possible.”
Cyber-attacks on financial institutions are becoming more frequent, but it seems our banks are slow to react to the whole thing, so maybe, just to be on the safe side, we should start drawing all our money out and hiding it under the bed and asking our banks to burn all our details in a huge pyre in a town square.
Do you like playing games on your phone, such as Angry Birds? Well, it has been reported that users of these apps are leaving their personal info wide open so that governments can secretly harvest all your lovely data.
This comes from the infamous former NSA bod, Edward Snowden. He says that officials from the NSA (and its UK counterpart GCHQ) have developed ways of nabbing your personal details through games and apps so they can find out your age, location and, in some cases, political views and sexual orientation.
NSA officials told The New York Times: “The NSA does not profile everyday Americans as it carries out its foreign intelligence mission. Because some data of US persons may at times be incidentally collected in NSA’s lawful foreign intelligence mission, privacy protections for US persons exist across the entire process.”
Meanwhile, NBC have also stated that GCHQ showed off a pilot program to the NSA where they monitored YouTube in real time while collecting addresses from the billions of videos watched daily. They were also able to snoop on Facebook and Twitter too.
They called this monitoring program “Squeaky Dolphin,” which is presumably a bid to make the whole thing sound funny should the truth of the matter end up being leaked to the public.
Microsoft said: “Recently, a select number of Microsoft employees’ social media and email accounts were subjected to targeted phishing attacks. This type of attack is not uncommon, and many companies grapple with phishing attempts from cybercriminals.”
“While our investigation continues, we have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed.”
Of course, the Syrian Electronic Army (do they still have conscription?) were behind this attack, even though Microsoft weren’t prepared to mention them by name and they’ve already posted up snippets of what they stole. The SEA also reckon they took enough info to get back into Microsoft’s social media accounts and emails too.
“If we find that customer information related to those requests has been compromised, we will take appropriate action. Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents,” Microsoft continued.
It has been reported by other people (take note, lawyers) that a weakness in Google’s Chrome browser is allowing people to use our computer’s microphone to spy on us. Google denies this outright, but they would. Developers on the other hand aren’t having it.
“Even while not using your computer – conversations, meetings and phone calls next to your computer may be recorded and compromised,” says Israeli developer Tal Ater.
Basically, if a site isn’t being honest about using your mic (as in, it switches the mic on even though you haven’t given it permission to), that’s when the trouble starts.
“When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden pop-under window,” Ater wrote. “This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.”
Chrome remembers your microphone permission for secure (HTTPS) sites, so these pop-under windows won’t need to ask the user for permission again.
Ater says he’s contacted Google, but they’ve yet to fix the situation. The Reg asked Google for a comment and they said: “The security of our users is a top priority, and this feature [the blinking red dot on tabs] was designed with security and privacy in mind.”
If you’re at all worried about this, there’s an easy fix until Google get it sorted – go to your settings, click ‘Show advanced settings’, then ‘Content settings’, then select ‘Do not allow sites to access my camera and microphone’, and that should do it.
According to The Guardian, Spotify will use sensors on the listener’s body or in their smartphone to detect what they are doing, and will turn that into appropriate music. If things progress, there are plans afoot to even start monitoring your patterns and mood.
It’s all a tad mental and a slide into a too much information-style future, where Spotify will be able to detect that Swans’ The Seer may not be quite the thing to work out to, and will offer tunes they feel more suited to it.
Will they, like most humans, be able to detect that Licensed To Ill will help you run ten miles on a treadmill (albeit never being able to walk again afterwards)? Bitterwallet thinks not.
The Guardian goes on to claim that Spotify might – somewhat creepily – “automatically generate playlists based on activities such as workouts, driving, sleeping or late-night working, without user interaction.” And no doubt chalk up another tiny cheque for the artist as a bonus.
WHO ISN’T A WINNER HERE, EH?
Do you have an EE Brightbox router? Well, listen up – the company have had to confess that there’s a flaw in them that could allow a hacker to easily and remotely access your account and personal information.
This vulnerability affects both the Brightbox 1 and 2 routers, and the British security researcher who stumbled across it, Scott Helme, points out that a ne’er-do-well could get into your router without any fuss at all.
All that is needed to attain admin control is the WiFi password, which, of course, can be obtained by phishing. Then, if the hacker was feeling peevish, they could get enough info to mess around with your subscription, meaning that they could rack up loads of costs for you, cancel it or whatever else it is that hackers do to get their kicks.
Around 300,000 users are affected, and EE themselves have said that they are now aware of this weakness and that customers should “remain vigilant”. A spokesperson said: “As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.”
“We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection.”
Addendum: To access an account, a caller must verify their identity to one of our customer service agents. An email or username, which is the only information a third party could access, is not accepted as an account identifier.